Update dependency wrangler to v2.20.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
wrangler (source)	2.1.10 -> 2.20.2

GitHub Vulnerability Alerts

CVE-2023-3348

Impact

The Wrangler command line tool (<=wrangler@3.1.0 or <=wrangler@2.20.1) was affected by a directory traversal vulnerability when running a local development server for Pages (wrangler pages dev command). This vulnerability enabled an attacker in the same network as the victim to connect to the local development server and access the victim's files present outside of the directory for the development server.

Patches

Wrangler2: Upgrade to v2.20.1 or higher.
Wrangler3: Upgrade to v3.1.1 or higher.

References

Workers SDK on Github
Wrangler docs
CVE-2023-3348

CVE-2023-7080

Impact

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging. wrangler dev would previously start an inspector server listening on all network interfaces. This would allow an attacker on the local network to connect to the inspector and run arbitrary code. Additionally, the inspector server did not validate Origin/Host headers, granting an attacker that can trick any user on the local network into opening a malicious website the ability to run code. If wrangler dev --remote was being used, an attacker could access production resources if they were bound to the worker.

Patches

This issue was fixed in wrangler@3.19.0 and wrangler@2.20.2. Whilst wrangler dev's inspector server listens on local interfaces by default as of wrangler@3.16.0, an SSRF vulnerability in miniflare allowed access from the local network until wrangler@3.18.0. wrangler@3.19.0 and wrangler@2.20.2 introduced validation for the Origin/Host headers.

Workarounds

Unfortunately, Wrangler doesn't provide any configuration for which host that inspector server should listen on. Please upgrade to at least wrangler@3.16.0, and configure Wrangler to listen on local interfaces instead with wrangler dev --ip 127.0.0.1 to prevent SSRF. This removes the local network as an attack vector, but does not prevent an attack from visiting a malicious website.

References

• https://github.com/cloudflare/workers-sdk/issues/4430
• https://github.com/cloudflare/workers-sdk/pull/4437
• https://github.com/cloudflare/workers-sdk/pull/4535
• https://github.com/cloudflare/workers-sdk/pull/4550

---

Release Notes

cloudflare/workers-sdk (wrangler)

v2.20.2

Compare Source

Patch Changes

• #​4609 c228c912 Thanks @​mrbbot! - fix: pin workerd to 1.20230404.0

• #​4587 49a46960 Thanks @​mrbbot! - Change dev registry and inspector server to listen on 127.0.0.1 instead of all interfaces

• #​4587 49a46960 Thanks @​mrbbot! - fix: validate Host and Orgin headers where appropriate

  Host and Origin headers are now checked when connecting to the inspector proxy. If these don't match what's expected, the request will fail.

v2.20.1

Compare Source

Patch Changes

• #​3820 546c2319 Thanks @​GregBrimble! - fix: Prevent wrangler pages dev from serving asset files outside of the build output directory

v2.20.0

Compare Source

Minor Changes

• #​2966 e351afcf Thanks @​GregBrimble! - feat: Add support for the undocumented _worker.js/ directory in Pages

• #​3095 133c0423 Thanks @​zebp! - feat: add support for placement in wrangler config

  Allows a placement object in the wrangler config with a mode of off or smart to configure Smart placement. Enabling Smart Placement can be done in your wrangler.toml like:

  [placement]
  mode = "smart"

• #​3140 5fd080c8 Thanks @​penalosa! - feat: Support sourcemaps in DevTools

  Intercept requests from DevTools in Wrangler to inject sourcemaps and enable folders in the Sources Panel of DevTools. When errors are thrown in your Worker, DevTools should now show your source file in the Sources panel, rather than Wrangler's bundled output.

Patch Changes

• #​2912 5079f476 Thanks @​petebacondarwin! - fix: do not render "value of stdout.lastframe() is undefined" if the output is an empty string

  Fixes #​2907

• #​3133 d0788008 Thanks @​dario-piotrowicz! - fix pages building not taking into account the nodejs_compat flag (and improve the related error message)

• #​3146 5b234cfd Thanks @​jspspike! - Added output for tail being in "sampling mode"

v2.19.0

Compare Source

Minor Changes

• #​3091 c32f514c Thanks @​edevil! - Added initial commands for integrating with Constellation AI.

v2.18.0

Compare Source

Minor Changes

• #​3098 8818f551 Thanks @​mrbbot! - fix: improve Workers Sites asset upload reliability

  • Wrangler no longer buffers all assets into memory before uploading. This should prevent out-of-memory errors when publishing sites with many large files.
  • Wrangler now limits the number of in-flight asset upload requests to 5, fixing the Too many bulk operations already in progress error.
  • Wrangler now correctly logs upload progress. Previously, the reported percentage was per upload request group, not across all assets.
  • Wrangler no longer logs all assets to the console by default. Instead, it will just log the first 100. The rest can be shown by setting the WRANGLER_LOG=debug environment variable. A splash of colour has also been added.

v2.17.0

Compare Source

Minor Changes

• #​3004 6d5000a7 Thanks @​rozenmd! - feat: teach wrangler docs to use algolia search index

  This PR lets you search Cloudflare's entire docs via wrangler docs [search term here].

  By default, if the search fails to find what you're looking for, you'll get an error like this:

  ✘ [ERROR] Could not find docs for: <search term goes here>. Please try again with another search term.
  

  If you provide the --yes or -y flag, wrangler will open the docs to https://developers.cloudflare.com/workers/wrangler/commands/, even if the search fails.

v2.16.0

Compare Source

Minor Changes

• #​3058 1bd50f56 Thanks @​mrbbot! - chore: upgrade miniflare@3 to 3.0.0-next.13

  Notably, this adds native support for Windows to wrangler dev --experimental-local, logging for incoming requests, and support for a bunch of newer R2 features.

Patch Changes

• #​3058 1bd50f56 Thanks @​mrbbot! - fix: disable persistence without --persist in --experimental-local

  This ensures --experimental-local doesn't persist data on the file-system, unless the --persist flag is set.
  Data is still always persisted between reloads.

• #​3055 5f48c405 Thanks @​rozenmd! - fix: Teach D1 commands to read auth configuration from wrangler.toml

  This PR fixes a bug in how D1 handles a user's accounts. We've updated the D1 commands to read from config (typically via wrangler.toml) before trying to run commands. This means if an account_id is defined in config, we'll use that instead of erroring out when there are multiple accounts to pick from.

  Fixes #​3046

• #​3058 1bd50f56 Thanks @​mrbbot! - fix: disable route validation when using --experimental-local

  This ensures wrangler dev --experimental-local doesn't require a login or an internet connection if a route is configured.

v2.15.1

Compare Source

Patch Changes

• #​2783 4c55baf9 Thanks @​GregBrimble! - feat: Add **/*.wasm?module as default module rule (alias of **/*.wasm)

• #​2989 86e942bb Thanks @​GregBrimble! - fix: Durable Object proxying websockets over local dev registry

v2.15.0

Compare Source

Minor Changes

• #​2769 0a779904 Thanks @​penalosa! - feature: Support modules with --no-bundle

  When the --no-bundle flag is set, Wrangler now has support for uploading additional modules alongside the entrypoint. This will allow modules to be imported at runtime on Cloudflare's Edge. This respects Wrangler's module rules configuration, which means that only imports of non-JS modules will trigger an upload by default. For instance, the following code will now work with --no-bundle (assuming the example.wasm file exists at the correct path):

  // index.js
  import wasm from './example.wasm'
  
  export default {
    async fetch() {
      await WebAssembly.instantiate(wasm, ...)
      ...
    }
  }

  For JS modules, it's necessary to specify an additional module rule (or rules) in your wrangler.toml to configure your modules as ES modules or Common JS modules. For instance, to upload additional JavaScript files as ES modules, add the following module rule to your wrangler.toml, which tells Wrangler that all **/*.js files are ES modules.

  rules = [
    { type = "ESModule", globs = ["**/*.js"]},
  ]

  If you have Common JS modules, you'd configure Wrangler with a CommonJS rule (the following rule tells Wrangler that all .cjs files are Common JS modules):

  rules = [
    { type = "CommonJS", globs = ["**/*.cjs"]},
  ]

  In most projects, adding a single rule will be sufficient. However, for advanced usecases where you're mixing ES modules and Common JS modules, you'll need to use multiple rule definitions. For instance, the following set of rules will match all .mjs files as ES modules, all .cjs files as Common JS modules, and the nested/say-hello.js file as Common JS.

  rules = [
    { type = "CommonJS", globs = ["nested/say-hello.js", "**/*.cjs"]},
    { type = "ESModule", globs = ["**/*.mjs"]}
  ]

  If multiple rules overlap, Wrangler will log a warning about the duplicate rules, and will discard additional rules that matches a module. For example, the following rule configuration classifies dep.js as both a Common JS module and an ES module:

  rules = [
    { type = "CommonJS", globs = ["dep.js"]},
    { type = "ESModule", globs = ["dep.js"]}
  ]

  Wrangler will treat dep.js as a Common JS module, since that was the first rule that matched, and will log the following warning:

  ▲ [WARNING] Ignoring duplicate module: dep.js (esm)
  

  This also adds a new configuration option to wrangler.toml: base_dir. Defaulting to the directory of your Worker's main entrypoint, this tells Wrangler where your additional modules are located, and determines the module paths against which your module rule globs are matched.

  For instance, given the following directory structure:

  - wrangler.toml
  - src/
    - index.html
    - vendor/
      - dependency.js
    - js/
      - index.js
  

  If your wrangler.toml had main = "src/js/index.js", you would need to set base_dir = "src" in order to be able to import src/vendor/dependency.js and src/index.html from src/js/index.js.

Patch Changes

• #​2957 084b2c58 Thanks @​esimons! - fix: Respect querystring params when calling .fetch on a worker instantiated with unstable_dev

  Previously, querystring params would be stripped, causing issues for test cases that depended on them. For example, given the following worker script:

  export default {
  	fetch(req) {
  		const url = new URL(req.url);
  		const name = url.searchParams.get("name");
  		return new Response("Hello, " + name);
  	},
  };

  would fail the following test case:

  const worker = await unstable_dev("script.js");
  const res = await worker.fetch("http://worker?name=Walshy");
  const text = await res.text();
  // Following fails, as returned text is 'Hello, null'
  expect(text).toBe("Hello, Walshy");

• #​2840 e311bbbf Thanks @​mrbbot! - fix: make WRANGLER_LOG case-insensitive, warn on unexpected values, and fallback to log if invalid

  Previously, levels set via the WRANGLER_LOG environment-variable were case-sensitive.
  If an unexpected level was set, Wrangler would fallback to none, hiding all logs.
  The fallback has now been switched to log, and lenient case-insensitive matching is used when setting the level.

• #​2044 eebad0d9 Thanks @​kuba-orlik! - fix: allow programmatic dev workers to be stopped and started in a single session

• #​2735 3f7a75cc Thanks @​JacobMGEvans! - Fix: Generate Remote URL
  Previous URL was pointing to the old cloudflare/templates repo,
  updated the URL to point to templates in the workers-sdk monorepo.

v2.14.0

Compare Source

Minor Changes

• #​2942 dc1465ea Thanks @​mrbbot! - chore: upgrade miniflare to 2.13.0

• #​2914 9af1a640 Thanks @​edevil! - feat: add support for send email bindings

  Support send email bindings in order to send emails from a worker. There
  are three types of bindings:

  • Unrestricted: can send email to any verified destination address.
  • Restricted: can only send email to the supplied destination address (which
    does not need to be specified when sending the email but also needs to be a
    verified destination address).
  • Allowlist: can only send email to the supplied list of verified destination
    addresses.

Patch Changes

• #​2931 5f6c4c0c Thanks @​Skye-31! - Fix: Pages Dev incorrectly allowing people to turn off local mode

  Local mode is not currently supported in Pages Dev, and errors when people attempt to use it. Previously, wrangler hid the "toggle local mode" button when using Pages dev, but this got broken somewhere along the line.

v2.13.0

Compare Source

Minor Changes

• #​2905 6fd06241 Thanks @​edevil! - feat: support external imports from cloudflare:... prefixed modules

  Going forward Workers will be providing built-in modules (similar to node:...) that can be imported using the cloudflare:... prefix. This change adds support to the Wrangler bundler to mark these imports as external.

• #​2607 163dccf4 Thanks @​jspspike@gmail.com! - feature: add wrangler deployment view and wrangler rollback subcommands

wrangler deployments view [deployment-id] will get the details of a deployment, including bindings and usage model information.
This information can be used to help debug bad deployments.

wrangler rollback [deployment-id] will rollback to a specific deployment in the runtime. This will be useful in situations like recovering from a bad
deployment quickly while resolving issues. If a deployment id is not specified wrangler will rollback to the previous deployment. This rollback only changes the code in the runtime and doesn't affect any code or configurations
in a developer's local setup.

wrangler deployments list will list the 10 most recent deployments. This command originally existed as wrangler deployments

example of view <deployment-id> output:

v2.12.3

Compare Source

Patch Changes

• #​2884 e33bea9b Thanks @​WalshyDev! - Changed console.debug for logger.debug in Pages uploading. This will ensure the debug logs are only sent when debug logging is enabled with WRANGLER_LOG=debug.

• #​2878 6ebb23d5 Thanks @​rozenmd! - feat: Add D1 binding support to Email Workers

  This PR makes it possible to query D1 from an Email Worker, assuming a binding has been setup.

  As D1 is in alpha and not considered "production-ready", this changeset is a patch, rather than a minor bump to wrangler.

v2.12.2

Compare Source

Patch Changes

• #​2873 5bcc333d Thanks @​GregBrimble! - fix: Prevent compile loop when using _worker.js and wrangler pages dev

v2.12.1

Compare Source

Patch Changes

• #​2839 ad4b123b Thanks @​mrbbot! - fix: remove vitest from wrangler init's generated tsconfig.json types array

  Previously, wrangler init generated a tsconfig.json with "types": ["@​cloudflare/workers-types", "vitest"], even if Vitest tests weren't generated.
  Unlike Jest, Vitest doesn't provide global APIs by default, so there's no need for ambient types.

• #​2806 8d462c0c Thanks @​GregBrimble! - chore: Remove the --experimental-worker-bundle option from Pages Functions

• #​2845 e3c036d7 Thanks @​Cyb3r-Jak3! - feature: include .wrangler directory in gitignore template used with wrangler init

• #​2806 8d462c0c Thanks @​GregBrimble! - feat: Add --outdir as an option when running wrangler pages functions build.

  This deprecates --outfile when building a Pages Plugin with --plugin.

  When building functions normally, --outdir may be used to produce a human-inspectable format of the _worker.bundle that is produced.

• #​2806 8d462c0c Thanks @​GregBrimble! - Enable bundling in Pages Functions by default.

  We now enable bundling by default for a functions/ folder and for an _worker.js in Pages Functions. This allows you to use external modules such as Wasm. You can disable this behavior in Direct Upload projects by using the --no-bundle argument in wrangler pages publish and wrangler pages dev.

• #​2836 42fb97e5 Thanks @​GregBrimble! - fix: preserve the entrypoint filename when running wrangler publish --outdir <dir>.

  Previously, this entrypoint filename would sometimes be overwritten with some internal filenames. It should now be based off of the entrypoint you provide for your Worker.

• #​2828 891ddf19 Thanks @​GregBrimble! - fix: Bring pages dev logging in line with dev proper's

  wrangler pages dev now defaults to logging at the log level (rather than the previous warn level), and the pages prefix is removed.

• #​2855 226e63fa Thanks @​GregBrimble! - fix: --experimental-local with wrangler pages dev

  We previously had a bug which logged an error (local worker: TypeError: generateASSETSBinding2 is not a function). This has now been fixed.

• #​2831 2b641765 Thanks @​Skye-31! - Fix: Show correct link for how to create an API token in a non-interactive environment

v2.12.0

Compare Source

Minor Changes

• #​2810 62784131 Thanks @​mrbbot! - chore: upgrade @miniflare/tre to 3.0.0-next.12, incorporating changes from 3.0.0-next.11

  Notably, this brings the following improvements to wrangler dev --experimental-local:

  • Adds support for Durable Objects and D1
  • Fixes an issue blocking clean exits and script reloads
  • Bumps to better-sqlite3@​8, allowing installation on Node 19

• #​2665 4756d6a1 Thanks @​alankemp! - Add new [unsafe.metadata] section to wrangler.toml allowing arbitary data to be added to the metadata section of the upload

Patch Changes

• #​2539 3725086c Thanks @​GregBrimble! - feat: Add support for the nodejs_compat Compatibility Flag when bundling a Worker with Wrangler

  This new Compatibility Flag is incompatible with the legacy --node-compat CLI argument and node_compat configuration option. If you want to use the new runtime Node.js compatibility features, please remove the --node-compat argument from your CLI command or your config file.

v2.11.1

Compare Source

Patch Changes

• #​2795 ec3e181e Thanks @​penalosa! - fix: Adds a duplex: "half" property to R2 fetch requests with stream bodies in order to be compatible with undici v5.20

• #​2789 4ca8c0b0 Thanks @​GregBrimble! - fix: Support overriding the next URL in subsequent executions with next("/new-path") from within a Pages Plugin

v2.11.0

Compare Source

Minor Changes

• #​2651 a9adfbe7 Thanks @​penalosa! - Previously, wrangler dev would not work if the root of your zone wasn't behind Cloudflare. This behaviour has changed so that now only the route which your Worker is exposed on has to be behind Cloudflare.

• #​2708 b3346cfb Thanks @​Skye-31! - Feat: Pages now supports Proxying (200 status) redirects in it's _redirects file

  This will look something like the following, where a request to /users/123 will appear as that in the browser, but will internally go to /users/[id].html.

  /users/:id /users/[id] 200
  

Patch Changes

• #​2766 7912e63a Thanks @​mrbbot! - fix: correctly detect service-worker format when using typeof module

  Wrangler automatically detects whether your code is a modules or service-worker format Worker based on the presence of a default export. This check currently works by building your entrypoint with esbuild and looking at the output metafile.

  Previously, we were passing format: "esm" to esbuild when performing this check, which enables format conversion. This may introduce export default into the built code, even if it wasn't there to start with, resulting in incorrect format detections.

  This change removes format: "esm" which disables format conversion when bundling is disabled. See https://esbuild.github.io/api/#format for more details.

• #​2780 80f1187a Thanks @​GregBrimble! - fix: Ensure we don't mangle internal constructor names in the wrangler bundle when building with esbuild

  Undici changed how they referenced FormData, which meant that when used in our bundle process, we were failing to upload multipart/form-data bodies. This affected wrangler pages publish and wrangler publish.

• #​2720 de0cb57a Thanks @​JacobMGEvans! - Fix: Upgraded to ES2022 for improved compatibility
  Upgraded worker code target version from ES2020 to ES2022 for better compatibility and unblocking of a workaround related to issue #​2029. The worker runtime now uses the same V8 version as recent Chrome and is 99% ES2016+ compliant. The only thing we don't support on the Workers runtime, the remaining 1%, is the ES2022 RegEx feature as seen in the compat table for the latest Chrome version.

  Compatibility table: https://kangax.github.io/compat-table/es2016plus/

  resolves #​2716

• #​2771 4ede044e Thanks @​mrbbot! - chore: upgrade miniflare to 2.12.1 and @miniflare/tre to 3.0.0-next.10

v2.10.0

Compare Source

Minor Changes

• #​2567 02ea098e Thanks @​matthewdavidrodgers! - Add mtls-certificate commands and binding support

  Functionality implemented first as an api, which is used in the cli standard
  api commands

  Note that this adds a new OAuth scope, so OAuth users will need to log out and
  log back in to use the new 'mtls-certificate' commands
  However, publishing with mtls-certifcate bindings (bindings of type
  'mtls_certificate') will work without the scope.

• #​2717 c5943c9f Thanks @​mrbbot! - Upgrade miniflare to 2.12.0, including support for R2 multipart upload bindings, the nodejs_compat compatibility flag, D1 fixes and more!

• #​2579 bf558bdc Thanks @​JacobMGEvans! - Added additional fields to the output of wrangler deployments command. The additional fields are from the new value in the response annotations which includes workers/triggered_by and rollback_from

  Example:

  Deployment ID: Galaxy-Class
  Created on:    2021-01-04T00:00:00.000000Z
  
  Trigger:       Upload from Wrangler 🤠
  Rollback from: MOCK-DEPLOYMENT-ID-2222
  

Patch Changes

• #​2624 882bf592 Thanks @​CarmenPopoviciu! - Add wasm support in wrangler pages publish

  Currently it is not possible to import wasm modules in either Pages
  Functions or Pages Advanced Mode projects.

  This commit caries out work to address the aforementioned issue by
  enabling wasm module imports in wrangler pages publish. As a result,
  Pages users can now import their wasm modules withing their Functions
  or _worker.js files, and wrangler pages publish will correctly
  bundle everything and serve these "external" modules.

• #​2683 68a2a19e Thanks @​mrbbot! - Fix internal middleware system to allow D1 databases and --test-scheduled to be used together

• #​2609 58ac8a78 Thanks @​dario-piotrowicz! - fix: make sure that the pages publish --no-bundle flag is correctly recognized

• #​2696 4bc78470 Thanks @​rozenmd! - fix: don't throw an error when omitting preview_database_id, warn instead

• #​2715 e33294b0 Thanks @​rozenmd! - fix: make it possible to run SQL against preview databases

• #​2685 2b1177ad Thanks @​CarmenPopoviciu! - You can now import Wasm modules in Pages Functions and Pages Functions Advanced Mode (_worker.js).
  This change specifically enables wasm module imports in wrangler pages functions build.
  As a result, Pages users can now import their wasm modules within their Functions or
  _worker.js files, and wrangler pages functions build will correctly bundle everything
  and output the expected result file.

v2.9.1

Compare Source

Patch Changes

• #​2652 2efd4537 Thanks @​mrkldshv! - fix: change jest to vitest types in generated TypeScript config

• #​2657 8d21b2ea Thanks @​rozenmd! - fix: remove the need to login when running d1 migrations list --local

• #​2592 dd66618b Thanks @​rozenmd! - fix: bump esbuild to 0.16.3 (fixes a bug in esbuild's 0.15.13 release that would cause it to hang, is the latest release before a major breaking change that requires us to refactor)

v2.9.0

Compare Source

Minor Changes

• #​2629 151733e5 Thanks @​mrbbot! - Prefer the workerd exports condition when bundling.

  This can be used to build isomorphic libraries that have different implementations depending on the JavaScript runtime they're running in.
  When bundling, Wrangler will try to load the workerd key.
  This is the standard key for the Cloudflare Workers runtime.
  Learn more about the conditional exports field here.

Patch Changes

• #​2409 89d78c0a Thanks @​penalosa! - Wrangler now supports an --experimental-json-config flag which will read your configuration from a wrangler.json file, rather than wrangler.toml. The format of this file is exactly the same as the wrangler.toml configuration file, except that the syntax is JSONC (JSON with comments) rather than TOML. This is experimental, and is not recommended for production use.

• #​2623 04d8a312 Thanks @​dario-piotrowicz! - fix d1 directory not being created when running the wrangler d1 execute command with the --yes/-y flag

• #​2608 70daffeb Thanks @​dario-piotrowicz! - fix: Add support for D1 databases when bundling an _worker.js on wrangler pages publish

• #​2597 416babf0 Thanks @​petebacondarwin! - fix: do not crash in wrangler dev when passing a request object to fetch

  This reverts and fixes the changes in https://github.com/cloudflare/workers-sdk/pull/1769
  which does not support creating requests from requests whose bodies have already been consumed.

  Fixes #​2562

• #​2622 9778b33e Thanks @​rozenmd! - fix: implement d1 list --json with clean output for piping into other commands

  Before:

v2.8.1

Compare Source

Patch Changes

• #​2501 a0e5a491 Thanks @​geelen! - fix: make it possible to query d1 databases from durable objects

  This PR makes it possible to access D1 from Durable Objects.

  To be able to query D1 from your Durable Object, you'll need to install the latest version of wrangler, and redeploy your Worker.

  For a D1 binding like:

  [[d1_databases]]
  binding = "DB" # i.e. available in your Worker on env.DB
  database_name = "my-database-name"
  database_id = "UUID-GOES-HERE"
  preview_database_id = "UUID-GOES-HERE"

  You'll be able to access your D1 database via env.DB in your Durable Object.

• #​2280 ef110923 Thanks @​penalosa! - Support queue and trace events in module middleware. This means that queue and trace events should work properly with the --test-scheduled flag

• #​2526 69d379a4 Thanks @​jrf0110! - Adds unstable_pages module to JS API

• #​2558 b910f644 Thanks @​caass! - Add metrics for deployments

• #​2554 fbeaf609 Thanks @​CarmenPopoviciu! - feat: Add support for wasm module imports in wrangler pages dev

  Currently it is not possible to import wasm modules in either Pages
  Functions or Pages Advanced Mode projects.

  This commit caries out work to address the aforementioned issue by
  enabling wasm module imports in wrangler pages dev. As a result,
  Pages users can now import their wasm modules withing their Functions
  or _worker.js files, and wrangler pages dev will correctly bundle
  everything and serve these "external" modules.

  import hello from "./hello.wasm"
  
  export async function onRequest() {
  	const module = await WebAssembly.instantiate(hello);
  	return new Response(module.exports.hello);
  }
  

• #​2563 5ba39569 Thanks @​CarmenPopoviciu! - fix: Copy module imports related files to outdir

  When we bundle a Worker esbuild takes care of writing the
  results to the output directory. However, if the Worker contains
  any external imports, such as text/wasm/binary module imports,
  that cannot be inlined into the same bundle file, bundleWorker
  will not copy these files to the output directory. This doesn't
  affect wrangler publish per se, because of how the Worker
  upload FormData is created. It does however create some
  inconsistencies when running wrangler publish --outdir or
  wrangler publish --outdir --dry-run, in that, outdir will
  not contain those external import files.

  This commit addresses this issue by making sure the aforementioned
  files do get copied over to outdir together with esbuild's
  resulting bundle files.

v2.8.0

Compare Source

Minor Changes

• #​2538 af4f27c5 Thanks @​edevil! - feat: support EmailEvent event type in wrangler tail.

• #​2404 3f824347 Thanks @​petebacondarwin! - feat: support bundling the raw Pages _worker.js before deploying

  Previously, if you provided a _worker.js file, then Pages would simply check the
  file for disallowed imports and then deploy the file as-is.

  Not bundling the _worker.js file means that it cannot containing imports to other
  JS files, but also prevents Wrangler from adding shims such as the one for the D1 alpha
  release.

  This change adds the ability to tell Wrangler to pass the _worker.js through the
  normal Wrangler bundling process before deploying by setting the --bundle
  command line argument to wrangler pages dev and wrangler pages publish.

  This is in keeping with the same flag for wrangler publish.

  Currently bundling is opt-in, flag defaults to false if not provided.

Patch Changes

• #​2525 fe8c6917 Thanks @​rozenmd! - fix: send wrangler docs d1 to the right place

• #​2542 b44e1a75 Thanks @​GregBrimble! - chore: Rename --bundle to --no-bundle in Pages commands to make similar to Workers

• #​2551 bfffe595 Thanks @​rozenmd! - fix: wrangler init --from-dash incorrectly expects index.ts while writing index.js

  This PR fixes a bug where Wrangler would write a wrangler.toml expecting an index.ts file, while writing an index.js file.

• #​2529 2270507c Thanks @​CarmenPopoviciu! - Remove "experimental _routes.json" warnings

  _routes.json is no longer considered an experimental feature, so let's
  remove all warnings we have in place for that.

• #​2548 4db768fa Thanks @​rozenmd! - fix: path should be optional for wrangler d1 backup download

  This PR fixes a bug that forces folks to provide a --output flag to wrangler d1 backup download.

• #​2528 18208091 Thanks @​caass! - Add some guidance when folks encounter a 10021 error.

  Error code 10021 can occur when your worker doesn't pass startup validation. This error message will make it a little easier to reason about what happened and what to do next.

  Closes #​2519

• #​1769 6a67efe9 Thanks @​dario-piotrowicz! - allow fetch() calls locally to accept URL Objects

v2.7.1

Compare Source

Patch Changes

• #​2523 a5e9958c Thanks @​jahands! - fix: unstable_dev() experimental options incorrectly applying defaults

  A subtle difference when removing object-spreading of experimental unstable_dev() options caused wrangler pages dev interactivity to stop working. This switches back to object-spreading the passed in options on top of the defaults, fixing the issue.

v2.7.0

Compare Source

Minor Changes

• #​2465 e1c2f5b9 Thanks @​JacobMGEvans! - After this PR, wrangler init --yes will generate a test for your new Worker project, using Vitest with TypeScript.
  When using wrangler init, and choosing to create a Typescript project, you will now be asked if Wrangler should write tests for you, using Vitest.

  This resolves issue #​2436.

• #​2333 71691421 Thanks @​markjmiller! - Remove the experimental binding warning from Dispatch Namespace since it is GA.

Patch Changes

• #​2460 c2b2dfb8 Thanks @​rozenmd! - fix: resolve unstable_dev flakiness in tests by awaiting the dev registry

• #​2439 616f8739 Thanks @​petebacondarwin! - fix(wrangler): do not login or read wrangler.toml when applying D1 migrations in local mode.

  When applying D1 migrations to a deployed database, it is important that we are logged in
  and that we have the database ID from

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.